Ask HN: Where do you store secrets you can’t easily change if exposed
I’m using/leaving LastPass and following the vault exposure working my way through 100s of password changes. I realised when doing this that I have a bunch of stuff in LP that isn’t so easy to change such as bank card details, word sets to recover access to 2FA protected accounts, SSH keys and passphrases, root passwords etc
What are others using to store these types of secrets?
I’m moving to Bitwarden and although it may support secure notes I’d be interested to hear what others are doing.
4 comments
[ 3.6 ms ] story [ 22.5 ms ] threadMYSECRET=$(pass somesecret | sed -n 3p) somescript
And then the script uses the secret from that specific line to do whatever it needs to do.
For work purposes most of our stuff is cloud based so if a secret is needed by scripts then it goes in a cloud-based secrets manager (for us it’s aws secrets manager or the secure parameter store thing depending) and if it’s for humans then we use one of a couple of methods of sharing securely in teams.
[1] https://www.passwordstore.org/